The State of Software Composition 2017

What's in your app?

An increasingly large share of all software today consists of third-party code, either purchased or licensed commercial off-the-shelf (COTS) software or free open source software (FOSS). Software Composition Analysis (SCA) is a testing process that breaks an application down into its individual components, the ingredients of any software, producing a Bill of Materials (BoM) that shows which software components, and which known vulnerabilities in them, exist within a given application.
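To show what an SCA pass actually produces, here is an added example written for this page (not Black Duck's tooling): it runs a constructed bill of materials against a constructed advisory list with placeholder ids, flags components below the first fixed version, and reports the share of component versions older than four years as of the report's cut-off date. All component names, versions, release dates and advisory entries are constructed, not taken from the report.

```python
import re
from datetime import date

# Constructed BoM: component, version in use, and release date of that version.
BOM = [
    {"name": "openssl", "version": "1.0.1e", "released": date(2013, 2, 11)},
    {"name": "zlib",    "version": "1.2.5",  "released": date(2010, 4, 19)},
    {"name": "libpng",  "version": "1.6.26", "released": date(2016, 10, 20)},
    {"name": "expat",   "version": "2.2.0",  "released": date(2016, 6, 21)},
]

# Constructed advisories (placeholder ids, not real CVEs). A component is
# affected when its version sorts below the first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "fixed_in": "1.0.1g", "year": 2014},
    {"id": "ADV-0002", "component": "zlib",    "fixed_in": "1.2.9",  "year": 2016},
    {"id": "ADV-0003", "component": "libpng",  "fixed_in": "1.6.20", "year": 2015},
]

AS_OF = date(2016, 12, 31)  # end of the report's analysis window
STALE_DAYS = 4 * 365        # "more than four years old" threshold

def version_key(v):
    # Split "1.0.1e" into comparable chunks: numbers compare numerically,
    # letter suffixes lexically, so 1.0.1e < 1.0.1g and 1.6.26 > 1.6.20.
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))

def is_affected(component, advisory):
    return (component["name"] == advisory["component"]
            and version_key(component["version"]) < version_key(advisory["fixed_in"]))

def analyse(bom, advisories, as_of):
    # Per-component findings: matching advisories and the age check.
    return [{**c,
             "advisories": [a["id"] for a in advisories if is_affected(c, a)],
             "older_than_4y": (as_of - c["released"]).days > STALE_DAYS}
            for c in bom]

def summary(report):
    n = len(report)
    return {"components": n,
            "stale_share": sum(r["older_than_4y"] for r in report) / n,
            "vulnerable": sorted(r["name"] for r in report if r["advisories"]),
            "advisory_count": sum(len(r["advisories"]) for r in report)}

def run():
    return summary(analyse(BOM, ADVISORIES, AS_OF))

if __name__ == "__main__":
    for row in analyse(BOM, ADVISORIES, AS_OF):
        print(f'{row["name"]:8} {row["version"]:7} '
              f'stale={row["older_than_4y"]!s:5} {row["advisories"]}')
    print(run())
```

The per-component rows are the BoM view an A9 (Using Components with Known Vulnerabilities) assessment needs; the summary is the aggregate view the report's headline figures come from.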

The State of Software Composition 2017 report is based on analysis of 128,782 software applications uploaded and tested through the Black Duck Binary Analysis cloud service from January 1 through December 31, 2016.

What did we discover?

Nearly 50% of the software component versions are more than four years old

A total of 9,553 common vulnerabilities and exposures (CVEs) found

45% of the observed CVEs date back to 2013 or earlier

Why is this important?

Organizations need to determine the relative risk of integrating FOSS and third-party components, as well as the overall security risk of the final software application. Additionally, if the organization must demonstrate OWASP compliance, specifically A9 (Using Components with Known Vulnerabilities), this report should shed light on known problem areas.